IT execs feel the heat as security woes multiply
By Ann Bednarz and Denise Dubie, Network World, 08/28/2006
With security threats increasing and regulation tightening, companies are demanding greater IT accountability - and that can
mean being forced to walk the plank after a breach.
AOL fired a researcher and a manager last week, and CTO Maureen Govern resigned after the Dulles, Va., company posted data on search queries made by 650,000 AOL subscribers. Ohio University dismissed two
senior IT people this month following news of five security vulnerabilities that exposed the sensitive records of 137,000
alumni.
Fallout from the Department of Veterans Affairs' security debacle is ongoing. The agency fired the analyst who took home a
laptop containing data on 26 million veterans that was stolen when burglars broke into his home. The ensuing examination of
the agency's security practices led to the departure of several other VA employees, including CISO Pedro Cadenas, who resigned last month.
Security accountability is long overdue, says John Pescatore, a security analyst at Gartner. When a series of worms hit in
2001 and paralyzed businesses, IT staff threw up their hands and blamed vendors. "Five years ago, nobody was responsible and
nobody had authority," Pescatore says.
That doesn't fly today. If a company is spending 5% of its IT budget on security, it expects a payoff. "The business side
of the organization has learned to live with accountability and is able to talk about revenues and returns," Pescatore says.
"IT is getting dragged there, too."
It's not always a reasonable position, says Khalid Kark, an analyst at Forrester Research. IT managers and security managers
aren't the ones setting corporate policies, yet they're responsible for enforcing the policies and ensuring security, he says.
Recent breaches have led to a surge in security consciousness in the executive suite, but it will take time to filter through
the organization. "Meanwhile, corporate boards need to have a scapegoat, and they've got one."
All in a day's work
IT executives say their jobs are now on the line if an IT event compromises security or impedes business performance. They're
taking the heightened exposure in stride, however.
Greater accountability is a natural consequence of IT becoming more central to business operations, says Chris Majauckas,
computer technology manager for Metrocorp Publications in Boston.
"Upper management is aware that it is impossible to foresee every possible negative event, but they do expect those events
to be handled promptly and properly," he says.
"The days of upper executives that aren't IT-aware are gone," adds Bruce Meyer, senior network engineer at ProMedica Health
System in Toledo, Ohio. "They don't need assistance to print out their e-mail anymore. They understand the business impact
of not having systems working. It costs money, and they're accountable for the bottom line. When things break they want to
know why, and what was done to protect against it happening again."